The recently discovered security vulnerability in one of ICANN’s web sites revealed how much Donuts was willing to pay for contested gTLDs at auction.

This worrying claim emerged during a meeting between registries and the ICANN board of directors at ICANN 53 in Buenos Aires yesterday.

“We were probably the largest victim of the data breach,” Donuts veep Jon Nevett told the board. “We had our financial data reviewed numerous times, dozens of times. We had our relative net worth of our TLDs reviewed, so it was very damaging information.”

He was referring to the misconfiguration in the new gTLD applicants’ portal, which allowed any user to view confidential application attachments belonging to any applicant.

dotBerlin CEO Dirk Krischenowski is suspected of using a bug in ICANN’s new gTLD portal to access hundreds of confidential documents, some containing sensitive financial planning data, belonging to competing gTLD applicants.

That’s according to ICANN documents sent by a source to DI today.

Krischenowski, who has through his lawyer “denied acting improperly or unlawfully”, seems to be the only person ICANN thinks abused its portal’s misconfigured search feature to deliberately access rivals’ secret data.

ICANN said last night that “over 60 searches, resulting in the unauthorized access of more than 200 records, were conducted using a limited set of user credentials”.

But ICANN, in private letters to victims, has been pinning all 60 searches and all 200 access incidents on Krischenowski’s user credentials.

Some of the incidents of unauthorized access were against applicants Krischenowski-run companies were competing against in new gTLD contention sets.

The search terms used to find the private documents included the name of the rival applicant on more than one occasion.

In more than once instance, the data accessed using his credentials was a confidential portion of a rival application explaining the applicant’s “worst case scenario” financial planning, the ICANN letters show.

I’ve reached out to Krischenowski for comment, but ICANN said in its letters to victims:

[Krischenowski] has responded through legal counsel and has denied acting improperly or unlawfully. The user has stated that he is unable to confirm whether he performed the searches or whether the user’s account was used by unauthorized person(s). The user stated that he did not record any information pertaining to other users and that he has not used and will not use the information for any purpose.

Krischenowski is a long-time proponent of the new gTLD program who founded dotBerlin in 2005, many years before it was possible to apply.

Since .berlin launched last year it has added 151,000 domains to its zone file, making it the seventh-largest new gTLD.

A small number of new gTLD registries and/or applicants deliberately exploited ICANN’s new gTLD portal to obtain information on competitors.

That’s my take on ICANN’s latest update about the exploitation of an error in its portal that laid confidential financial and technical data bare for two years.

ICANN said last night:

Based on the information that ICANN has collected to date our investigation leads us to believe that over 60 searches, resulting in the unauthorized access of more than 200 records, were conducted using a limited set of user credentials.

The remaining user credentials, representing the majority of users who viewed data, were either used to:

Access information pertaining to another user through mere inadvertence and the users do not appear to have acted intentionally to obtain such information. Access information pertaining to another user through mere inadvertence and the users do not appear to have acted intentionally to obtain such information. These users have all confirmed that they either did not use or were not aware of having access to the information. Also, they have all confirmed that they will not use any such information for any purpose or convey it to any third party; or

Access information of an organization with which they were affiliated. At the time of the access, they may not have been designated by that organization as an authorized user to access the information.

We can infer from this that the 60 searches, exposing 200 records, were carried out deliberately.

I asked ICANN to put a number on “limited set of user credentials” but it declined.

Almost three quarters of the security breaches logged against ICANN’s new gTLD portal occurred over a three-month period in early 2014, DI can reveal.

Almost every incident of a new gTLD applicant coming across data they weren’t supposed to see — 322 of the 330 total — happened before the end of October last year, ICANN told DI.

Most — 244 of the 330 — happened before April 30 last year.

The first breach, discovered by an independent audit of the portal, was January 22 2014.

ICANN says it was first notified of there being a problem on February 27, 2015.

The improper data disclosures were announced by ICANN last week.

As we reported, a simple configuration error by ICANN in third-party software allowed users of the Global Domains Division portal — all new gTLD applicants — to view confidential data belonging to other applicants.

Documents revealed could have included sensitive financial projections and registry technical details.

My first assumption was that the majority of the incidents — which have been deliberate or accidental — were relatively recent, but that turns out not to be the case.

In fact, if anyone did download data they weren’t supposed to see, most of them did it over a year ago.

ICANN has been notifying applicants and registries about whether their own data was compromised and expects to have told each affected applicant which other applicants could have seen their data before May 27.